Solved

K10 OpenID logout continuously



Dear,

We have set up Kasten with OIDC integration with our Keycloak instance.

We can log in to Kasten with our Keycloak credentials; however, given that the Access Token has a lifetime of 5 minutes, we are logged out from Kasten after 5 minutes, as if the Refresh Token is not used.

 

We have configured Kasten like this:

data:
  provider-url: {{ $providerUrl | b64enc }}
  redirect-url: {{ $clusterUrlTrimmed | b64enc }}
  logout-url:   {{ $logoutUrl   | b64enc }}
  client-id:    {{ .Values.identityProvider.clientID | b64enc }}
  client-secret: {{ .Values.identityProvider.clientSecret | b64enc }}
  scopes: {{ .Values.identityProvider.scopes | b64enc }}
  usernameClaim: {{ .Values.identityProvider.usernameClaim | b64enc }}
  usernamePrefix: {{ .Values.identityProvider.usernamePrefix | b64enc }}
  groupClaim: {{ .Values.identityProvider.groupClaim | b64enc }}

 

I don’t know if this is the expected behaviour.

 


Best answer by EBrockman 7 October 2022, 19:47


9 comments

I have the same problem.

No one facing a similar issue?

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   


The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Good to hear. I have a Keycloak test setup and was experiencing the same issues but thought that I was just not adept enough to get the Keycloak settings right :)


Tested with 5.0.7 and problem is still present

Tested with 5.0.7 and problem is still present

Hi Matteo, we may have to recreate this issue first. Can you please create a service request? I am going to work with you on the ticket. Thanks. Michael


Hello @Matteo.Gazzadi

At this time, we only use the lifetime of the access_token and do not use the lifetime of the refresh_token at the moment. We do have plans in the future to improve the auth-svc to be able to refresh a token before it expires.

 

Thanks

Emmanuel
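An added example, not part of the thread and not Kasten's code: a small inspection helper that reads a token endpoint response and shows how long a session lasts when only the access_token lifetime is honoured, and when a refreshing client would have to act. The sample response is constructed; `refresh_expires_in` is the field Keycloak returns for the refresh token lifetime, and the 30-second margin is an assumption.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_report(token_response: dict, refresh_margin: int = 30) -> dict:
    """Summarise token lifetimes from a token endpoint response."""
    claims = jwt_claims(token_response["access_token"])
    access_ttl = claims["exp"] - claims["iat"]
    return {
        "access_ttl_s": access_ttl,
        # How long the refresh token stays usable (0 if none was issued).
        "refresh_ttl_s": token_response.get("refresh_expires_in", 0),
        # Behaviour described in the thread: the session ends with the access token.
        "session_without_refresh_s": access_ttl,
        # A refreshing client would have to call the token endpoint by this point.
        "refresh_at_s": max(access_ttl - refresh_margin, 1),
    }


def _make_sample_jwt(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: 5-minute access token, 30-minute refresh token.
SAMPLE_RESPONSE = {
    "access_token": _make_sample_jwt(
        {"iat": 1665000000, "exp": 1665000300, "preferred_username": "demo"}
    ),
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "constructed-placeholder",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    for key, value in session_report(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```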

We have the same issue with the OIDC integration. This is especially difficult when building something like a policy and suddenly having to log in again because the session has expired.


The support just informed me about the fact that the refresh_token is not used. The feature is expected to be available early next year.
